Chip Flaws ‘Meltdown’ and ‘Spectre’ Loom Large

The HPC and wider tech community are abuzz over the discovery of critical design flaws that impact virtually all contemporary microprocessors. The bugs leave processors vulnerable to side channel attacks where malicious programs can steal information from applications’ memory. Worse news yet, some of the fixes for these flaws are either unclear at this point or may be associated with significant slowdowns.

As the story developed, many media reports focused on the “Intel chip flaw,” but the problem is much bigger than that and impacts AMD and ARM CPUs as well. The New York Times has covered the moving pieces, reporting that here are two major flaws. The first, dubbed Meltdown, has currently been shown to impact only Intel microprocessors (due to the way Intel handles speculative execution, covered comprehensively by Ars Technica). A Linux patch called KPTI (formerly KAISER) mitigates the security gap, but its implementation can degrade processor speed by as much as 30 percent, depending on the application.

The second issue, called Spectre, is conceivably even more problematic as it affects virtually all chip lines on the market, leaving potentially billions of devices, including phones, vulnerable to exploits. Security researchers believe this flaw is more difficult to exploit but also harder to assuage. “There is no known fix for it and it is not clear what chip makers like Intel will do to address the problem,” wrote the Times.

Intel released a statement yesterday downplaying the ramifications and emphasizing that competing chips are also affected.

“Intel and other technology companies have been made aware of new security research describing software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from computing devices that are operating as designed. Intel believes these exploits do not have the potential to corrupt, modify or delete data,” the company asserted.

“Recent reports that these exploits are caused by a ‘bug’ or a ‘flaw’ and are unique to Intel products are incorrect. Based on the analysis to date, many types of computing devices — with many different vendors’ processors and operating systems — are susceptible to these exploits.”

Intel went on to say that for the “average computer user,” performance impacts “should not be significant and will be mitigated over time.”

This prompted one contributor to a popular HPC mailing list to respond: “We, ‘non-average computer users,’ are still [verb of your choice here].”

As this issue was still coming to light, the US government issued a dire statement (on Jan. 3), implying the problematic CPUs were essentially unsalvageable. “The underlying vulnerability is primarily caused by CPU architecture design choices. Fully removing the vulnerability requires replacing vulnerable CPU hardware,” wrote US-CERT, the computer safety division of Homeland Security.

A revised version of the notice offers less extreme, but vague, guidance. Affected parties are now advised that “operating system and some application updates mitigate these attacks.”

There is still a lot of uncertainty about the full ramifications of these major flaws. AMD and ARM have also released statements:

The impacted tech companies have known about the flaws for months and have been working to solve the issues before making a public disclosure. This is common practice to stay ahead of ill-intentioned hackers, but the timing is bringing attention to a major stock sale made late last year by Intel CEO Brian Krzanich. In November, Krzanich sold off $39 million worth of company stock and options (for a $24 million gain), reducing his share down to the bare minimum required by his contract with Intel. The scope of the transactions were within permissible bounds but questions are now being raised as to whether knowledge of hardware vulnerabilities could have prompted the sell-off. A spokesperson for Intel said Krzanich’s sale was “unrelated.”

Computing professionals have taken to mailing lists, social media forums and message boards to vent frustrations and discuss strategies for addressing security and performance requirements. There is already talk of seeking compensation for lost performance. Even modest performance hits will take a toll on HPC systems, which can comprise hundreds or thousands of nodes. It is yet to be determined how much of a penalty the KPTI patch will extract for typical HPC workloads and usage patterns. We will continue to follow this developing story closely.